Virus and Spyware Removal Guides, uninstall instructions
What kind of scam is "DHL Express - Called But Got No Answer"?
We have analyzed this email and found that it is used to deliver a remote administration Trojan called njRat. Cybercriminals behind this campaign pretend to be DHL - a legitimate logistics company. Their goal is to trick recipients into opening a malicious attachment.
What kind of malware is HOUSELOCKER?
HOUSELOCKER is ransomware discovered by MalwareHunterTeam. This malware damages the Master Boot Record (MBR) to prevent victims from accessing the operating system. It also restarts the operating system and then displays a ransom note.
What is Gilfillan ransomware?
Gilfillan is the name of a malicious program categorized as ransomware, which belongs to the VoidCrypt malware family.
After launching a sample obtained from VirusTotal on our test system, Gilfillan began encrypting files and appended a unique ID, the cyber criminals' email address, and a ".Gilfillan" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.(MJ-ZB1807593246)(PaulGilfillan@cyberfear.com).Gilfillan".
Once the encryption process was completed, this ransomware displayed/created ransom notes titled "Decryption-Guide.HTA" and "Decryption-Guide.txt".
What kind of page is ovinspecutions[.]com?
We discovered ovinspecutions[.]com while analyzing websites that use shady advertising networks (e.g., torrent sites, illegal movie streaming pages). After testing ovinspecutions[.]com, we learned that it uses a clickbait technique to get permission to show notifications and redirects to deceptive pages.
What kind of malware is µ-2246-digits-of-pi?
µ-2246-digits-of-pi is the name of ransomware, a new variant of the DeezNuts Crypter ransomware. We discovered this variant while examining malware samples submitted to VirusTotal. It was found that µ-2246-digits-of-pi encrypts files and inserts its name in their filenames. This ransomware provides ransom notes in a pop-up window and on a Pastebin page.
An example of how µ-2246-digits-of-pi ransomware renames files: it changes "1.jpg" to "1.µ-2246-digits-of-pi.jpg", "2.jpg" to "2.µ-2246-digits-of-pi.jpg", and so forth.
What kind of page is expressedsupply[.]com?
While inspecting dubious sites, our research team discovered expressedsupply[.]com. This rogue webpage loads deceptive content, promotes browser notification spam, and causes redirects to other (likely untrustworthy/malicious) websites. Visitors to such sites typically access them via others that employ rogue advertising networks.
What kind of scam is "DHL - YOUR GOODS ARE IN TRANSIT"?
Our team has examined this email and concluded that it is sent by scammers who seek to trick recipients into providing their passwords. The email is disguised as a shipment notification from DHL (a legitimate logistics company). It contains an attachment (an HTML file) designed to open a deceptive page.
What is Toon Explorer?
Toon Explorer is a browser extension promising easy access to cartoon-related online content. We discovered this piece of software while inspecting deceptive download websites. After analyzing Toon Explorer, we determined that it operates as advertising-supported software (adware).
What is Magala?
Magala is a Trojan-clicker that performs a form of ad fraud (click fraud). The purpose of this clicker is to connect to specific websites and drive traffic to them. It imitates clicks on those websites. Typically, Trojan-clickers are used to drain the budget of competitors paying for advertising.
What is Cj ransomware?
During a routine inspection of new submissions on VirusTotal, our researchers found Cj - yet another ransomware belonging to the VoidCrypt family.
We executed Cj's sample on our test system, and it began encrypting files and appending their filenames with a unique ID, the attackers' email address, and a ".Cj" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.(MJ-WF7985203614)(decryptcj@gmail.com).Cj".
Following the completion of the encryption process, this ransomware displayed/created identical ransom notes named "Decryption-Guide.HTA" and "Decryption-Guide.txt".